paypal paypal-sandbox

Are PayPal Smart Checkout Buttons vulnerable?


I am making an e-commerce website which should allow PayPal payments, using Smart Checkout Buttons. My worry is that anyone can curl my website, get the raw HTML+JS page and edit the purchase unit values. Once they've done that they could run the webpage, the JS code will be executed, the button gets rendered with fake values, and they could fake the payment (with less money). Is that true? And are there any solutions still using the Smart Button (without the REST API)?

I cannot create the buttons manually since there will be many articles which are sold by different users.

paypal.Buttons({

    // Set up the transaction
    createOrder: function(data, actions) {
        var o = actions.order.create({
            purchase_units: [{
                amount: {
                    value: '30.99' // Can users change this?
                },
                payee: {
                    email_address: 'sb-qloys3515897@business.example.com' // email of the seller
                }
            }]
        });

        return o;
    },

    // Finalize the transaction
    onApprove: function(data, actions) {
        return actions.order.capture().then(function(details) {
            // `details` only exists inside this callback, so log it here
            console.log(details);
            // Show a success message to the buyer
            //alert('Transaction completed by ' + details.payer.name.given_name + '!');
            alert(details);
        });
    }

}).render('#paypal-button-container');

Solution

  • If you use client-side code only then yes, anyone can edit that client-side code right in their browser and pay you any amount they wish, from $0.01 to tens of thousands of dollars.

    If this scenario concerns you, then a client-side only integration is obviously too simple for you, and you should instead implement one with your server that does the validation you desire.

    Create two routes on your server, one for 'Set Up Transaction' and one for 'Capture Transaction', documented here.

    Then have your PayPal button call those two routes; here is the best demo code: https://developer.paypal.com/demo/checkout/#/pattern/server
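The server-side pattern the answer describes, as an added example (not code from the question, the answer, or PayPal's demo): a Node.js 'Set Up Transaction' route and a 'Capture Transaction' route in which the server, not the page, decides amounts and payees. It goes slightly beyond the single-payee case in the question by building one purchase unit per seller, which is what a multi-seller catalog would need. The route names, the `CATALOG` price list, the `paypalClient` object and the response shapes it checks are assumptions for illustration; the real REST calls are replaced by an offline stand-in so the code runs as-is.

```javascript
// Added example, not code from the question or the answer. Route names,
// CATALOG, the client object and the response shapes are assumptions.

// Trusted price list (constructed). The browser sends only SKUs and
// quantities; prices and seller e-mails never come from the client.
const CATALOG = {
  'sku-100': { priceCents: 3099, sellerEmail: 'seller-a@business.example.com' },
  'sku-200': { priceCents: 1250, sellerEmail: 'seller-a@business.example.com' },
  'sku-300': { priceCents: 500,  sellerEmail: 'seller-b@business.example.com' },
};
const CURRENCY = 'USD';

// Build purchase_units from the cart, one unit per seller, using catalog
// prices only. Integer cents avoid floating-point rounding surprises.
function buildPurchaseUnits(cartItems) {
  if (!Array.isArray(cartItems) || cartItems.length === 0) throw new Error('empty cart');
  const centsBySeller = new Map();
  for (const { sku, quantity } of cartItems) {
    const item = CATALOG[sku];
    if (!item) throw new Error(`unknown sku: ${sku}`);
    if (!Number.isInteger(quantity) || quantity < 1 || quantity > 100) {
      throw new Error(`bad quantity for ${sku}`);
    }
    const prev = centsBySeller.get(item.sellerEmail) || 0;
    centsBySeller.set(item.sellerEmail, prev + item.priceCents * quantity);
  }
  return [...centsBySeller].map(([email, cents]) => ({
    amount: { currency_code: CURRENCY, value: (cents / 100).toFixed(2) },
    payee: { email_address: email },
  }));
}

// What each order was set up with (stand-in for a database row).
const pendingOrders = new Map();

// Route 1: 'Set Up Transaction' (assumed POST /api/orders). A price the
// client might put in the body is never read. With a real client the
// PayPal call is an HTTP request you would await.
function setupTransaction(body, paypalClient) {
  const purchaseUnits = buildPurchaseUnits(body.items);
  const order = paypalClient.createOrder({ intent: 'CAPTURE', purchase_units: purchaseUnits });
  pendingOrders.set(order.id, purchaseUnits);
  return { orderID: order.id };
}

// Route 2: 'Capture Transaction' (assumed POST /api/orders/:id/capture).
// Capture, then check the result against the server's own record before
// fulfilling anything.
function captureTransaction(orderID, paypalClient) {
  const expected = pendingOrders.get(orderID);
  if (!expected) throw new Error(`unknown order: ${orderID}`);
  const result = paypalClient.captureOrder(orderID);
  verifyCapture(result, expected);
  pendingOrders.delete(orderID);
  return { orderID, status: result.status, units: expected.length };
}

// Compare the capture response (assumed shape: status and
// purchase_units[i].payee / .payments.captures[0]) with what was set up.
function verifyCapture(result, expectedUnits) {
  if (result.status !== 'COMPLETED') throw new Error(`capture not completed: ${result.status}`);
  const units = result.purchase_units || [];
  if (units.length !== expectedUnits.length) throw new Error('purchase unit count mismatch');
  expectedUnits.forEach((exp, i) => {
    const cap = units[i].payments.captures[0];
    if (cap.status !== 'COMPLETED') throw new Error(`unit ${i} not captured`);
    if (cap.amount.value !== exp.amount.value || cap.amount.currency_code !== exp.amount.currency_code) {
      throw new Error(`amount mismatch for unit ${i}: got ${cap.amount.value}, expected ${exp.amount.value}`);
    }
    if (units[i].payee.email_address !== exp.payee.email_address) {
      throw new Error(`payee mismatch for unit ${i}`);
    }
  });
  return true;
}

// Offline stand-in for the PayPal REST client: returns what a successful
// create and capture would, based on the request the server sent.
function fakePayPalClient() {
  const orders = new Map();
  return {
    createOrder(req) {
      const id = `TEST-ORDER-${orders.size + 1}`;
      orders.set(id, req);
      return { id, status: 'CREATED' };
    },
    captureOrder(id) {
      const req = orders.get(id);
      if (!req) throw new Error('no such order');
      return {
        id,
        status: 'COMPLETED',
        purchase_units: req.purchase_units.map((u) => ({
          payee: u.payee,
          payments: { captures: [{ status: 'COMPLETED', amount: u.amount }] },
        })),
      };
    },
  };
}

// Demo: a request body carrying its own (tampered) price changes nothing,
// because the server only reads the SKUs and quantities.
function demo() {
  const client = fakePayPalClient();
  const body = {
    items: [{ sku: 'sku-100', quantity: 1 }, { sku: 'sku-300', quantity: 2 }],
    amount: { value: '0.01' }, // client-supplied price, ignored
  };
  const { orderID } = setupTransaction(body, client);
  return captureTransaction(orderID, client);
}

console.log(demo());
```

On the page, `createOrder` then becomes a `fetch` POST to the set-up route with the cart's SKUs and quantities, returning the `orderID` the server hands back, and `onApprove` posts `data.orderID` to the capture route and shows the result; the browser never sees a price it could change.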